The CyberWire Daily Briefing for 11.13.2013
Hacktivists in Tunisia and Gaza publish Israelis' Facebook login credentials. Anonymous claims it succeeded in compromising Parliamentary Wi-Fi networks in the UK last week during the group's Million Mask March.
FireEye concludes that the recent cyber-espionage campaign exploiting an Internet Explorer zero-day vulnerability was the work of a nation-state intent on compromising very specific targets. The security firm also perceives a link among eleven cyber campaigns hitherto believed unrelated: a "cyber arms dealer" that maintains and distributes malware attack kits. The nation-state and the dealer are unnamed, but in both cases signs point in the direction of China.
A London transit app is found to leak personal information. In Saudi Arabia, Android malware targets (or provokes) those in favor of women's right to drive. Over at the Mac Rumors forum, 860,000 users' passwords have been compromised.
Bitcoin capers, respectively embezzlement and hacking, affect exchanges in China and the Czech Republic. Some large losses are reported.
Patch Tuesday is reviewed. Facebook quarantines users incautious enough to reuse Adobe passwords on the social network. Microsoft, recognizing long-standing security issues, moves away from SHA-1 and RC4 algorithms.
Adequate cyber-threat information sharing remains elusive: automation and anonymization seem the big issues. Trend watchers mull the state of mobile and BYOD security. CISOs struggle toward a more dynamic approach to supply-chain security. Actuaries continue to grapple with cyber attack risk.
The North American power grid begins its major cyber exercise today.
Fresh allegations of NSA/GCHQ surveillance operations roil intra-alliance diplomacy. UK authorities plan prosecution of leakers.
Today's issue includes events affecting Australia, Brazil, China, Czech Republic, European Union, Germany, Israel, Japan, Palestinian Territories, Russia, Saudi Arabia, Tunisia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Arab Hackers Target Israeli Facebook Users (Arutz Sheva) Hackers from Tunisia and Gaza break into the Facebook accounts of some 13,000 Israelis, make public a list of usernames and passwords
Anonymous claims Parliament Wi-Fi hack during London protest (The Register) Cyber assaults 'slow traffic' as miscreants slurp email logins
Nation-state likely behind attack on IE zero-day flaw (CSO) Nation-state intending to compromise specific machines sponsored attack discovered by FireEye
The operations of a cyber arms dealer (Help Net Security) FireEye researchers have linked eleven distinct APT cyber espionage campaigns previously believed to be unrelated, leading them to believe that there is a shared operation that supplies and maintains malware tools and weapons used in them
Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits (Webroot Threat Blog) Sharing is caring. In this post, I'll put the spotlight on a currently circulating, massive -- thousands of sites affected -- malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. Ultimately hijacking the legitimate traffic hitting them and successfully undermining the confidentiality and integrity of the affected users' hosts
Web site of Brazilian 'Prefeitura Municipal de Jaqueira' compromised, leads to fake Adobe Flash player (Webroot Threat Blog) Our sensors just picked up an interesting Web site infection that's primarily targeting Brazilian users. It appears that the Web site of the Brazilian Jaqueira prefecture has been compromised, and is exposing users to a localized (to Portuguese) Web page enticing them into installing a malicious version of Adobe's Flash player. Not surprisingly, we've also managed to identify approximately 63 more Brazilian Web sites that are victims to the same infection
Adobe credentials and the serious insecurity of password hints (Troy Hunt) Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe's giant-sized cryptographic blunder in terms of what they got wrong with their password storage so I won't try to replicate that, rather I'd like to take a look at the password hints
Bogus New Outlook Settings Lead to UPTRE Malware (Trend Micro Threat Encyclopedia) Email is the primary means for business and customer communications. As such, cybercriminals typically use spam email as an infection vector in order to infect systems and, consequently, penetrate an enterprise network
iPhones can be hacked while charging (USA Today via WTSP) Apple's iPhone has won praise over its resistance to hackers, but university researchers have revealed you can still be vulnerable
Mobile Threat Monday: London Transit App and Android Backup App Leak Personal Info (PC Magazine) In the name of design and usability (and sometimes security) the activities of most apps are hidden from the user. We have to trust that developers will keep our personal information safe and our data away from those who would steal it. But as Appthority shows in their analysis this week, that's not always the case
Android malware targets woman drivers in Saudi Arabia (Graham Cluley) Irfan Asrar is a security researcher focusing on threats targeting embedded and mobile devices. In this article he explores how hackers attempted to infect the Android devices of users protesting against a Saudi Arabian ban on women drivers
Hack of MacRumors forums exposes password data for 860,000 users (Ars Technica) Assume your password is known, site's top brass tells account holders
Chinese bitcoin exchange vanishes along with $4.1m in bitcoins (Help Net Security) Another bitcoin exchange has shut down, taking approximately $4.1 million worth of its clients' bitcoins with it and, according to CoinDesk, foul play from its operator is suspected
Bitcoin Online Exchange in Czech Republic Hacked (ABC News) An online exchange that trades the digital currency bitcoin in the Czech Republic says it has been attacked by hackers
Rotech Healthcare Admits Data Breach (eSecurity Planet) A former employee only recently discovered that she had taken sensitive data with her by mistake when she left the company in 2010
British bank account data is under threat (Help Net Security) Bitdefender warns that 0.5 per cent of all spam sent worldwide is targeting customers of some of the most popular British financial institutions and services, including PayPal, Lloyds Banking Group, HSBC Holdings and Barclays Bank
MongoHQ data breach a cautionary tale for startups (Trend Micro Simply Security) In late October, database-as-a-service provider MongoHQ became the victim of a spear-phishing attack that resulted in spam issues and possible data theft for many of its clients, including social media scheduler Buffer and iPhone calendar application Sunrise. Hackers successfully exploited porous network security, obtaining credentials that happened to be shared between a personal employee account and an internal MongoHQ application
Sandbox Overloading with GetSystemTimeAdjustment (JoeSecurity) Lately we came across an interesting sample (MD5: b4f310f5cc7b9cd68d919d50a8415974) we would like to share with you. An initial analysis spotted
Malicious PDF Analysis Evasion Techniques (TrendLabs Security Intelligence Blog) In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly — and their creators invest in efforts to evade those vendors
A Study in Bots: Indonesian Bots (Cylance Technical Blog) In the past year or so, I have seen a large increase in scanning activity coming out of Indonesia. The scans are primarily for HTTP servers running vulnerable web applications, with a heavy focus on CMS applications like WordPress and Joomla
No, Stuxnet Did Not Infect the International Space Station (Tom's Guide) Did the Stuxnet cyberweapon infect the International Space Station? Almost certainly not, but that hasn't stopped a lot of media outlets from saying so in bold headlines
Obamacare Manager Missed Key Memo on Security Risks (Fiscal Times via Yahoo! News) One month before HealthCare.gov went live, a memo was circulated within the agency responsible for building it, revealing that the website central to Obamacare's implementation contained "limitless" security flaws that could lead to identity theft and breaches of consumers' health data
Security Patches, Mitigations, and Software Updates
Patch Tuesday November 2013 — Microsoft, Adobe and Google (Naked Security) November's Patch Tuesday includes updates not just from Microsoft, but Adobe and Google as well. Critical patches for Internet Explorer, Chrome and Adobe Flash Player lead the way this month
Microsoft issues 8 security bulletins, but postpones zero-day fix (FierceITSecurity) Critical vulnerabilities in Internet Explorer, Windows should take priority, advise researchers
Facebook locks users in a closet for using same passwords/emails on Adobe (Naked Security) If you've used the same email account/password combo on Facebook and Adobe, Facebook has probably already pushed your account into a closet and locked the door
Microsoft warns customers away from SHA-1 and RC4 (Threatpost) The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm
Defenders Still Chasing Adequate Threat Intelligence Sharing (Threatpost) At the Advanced Cyber Security Center annual conference, prominent security experts continue to advocate for attack and threat intelligence sharing and hint at automating this between machines
Sharing cybersecurity data—while protecting privacy (FierceITSecurity) I am here at the annual conference of the Advanced Cyber Security Center, a non-profit consortium of New England-based industry, university and government organizations set up to encourage sharing of cyber threat information, as well as conduct cybersecurity research and development
The Impact of Social Media on Information Security (Cyveillance) Social media continues to present challenges for security professionals as more platforms emerge and more employees and customers than ever interact with them every day. Data leakage via social media platforms and user-generated content websites can compromise customer data, intellectual property, and confidential business operations
BYOD is 'an unregulated mess,' says IT security expert (FierceMobileIT) The BYOD trend gaining traction across enterprises isn't a strategy and it certainly isn't something chief information officers should sign off on, warns an IT security mogul
CISOs often neglect supply chain security, warns HP (FierceITSecurity) Many breaches occur because of lax supplier security
Cyber-security and the PSAP [public safety answering point] (PoliceOne) DHS and FBI outline the increase in attacks on PSAPs and express concerns about keeping public safety communications secure
Cyber crime: the latest big threat to insurers on the rise (Actuarial Post) The prophets of doom are doing a roaring trade. The latest subject of apocalyptic predictions for the western way of life is cyber security. It seems that everyone is interested in the contents of your computer systems, and increasingly, in damaging these systems to make your life and your business harder than it already is. The evidence from government and security services as well as numerous industry surveys and studies is that cyber risk is on the up. Many attempts have been made to estimate the cost of cyber crime to the global economy, with the result being an estimated impact of somewhere between $100bn and $1tn. Organisations need to act fast
Energy companies can't stop cyberattacks, expert says (Fuel Fix) Energy companies are on the front lines of the cyberthreats facing the nation, with all of them likely to be infiltrated by hackers no matter what precautions they take, an expert said during the API Cybersecurity Conference & Expo in Houston on Tuesday
Pentagon Awards Drop as Shutdown Intensifies U.S. Cuts (Bloomberg) Pentagon contracts plunged 66 percent to $15.7 billion last month, the lowest level since January, driven by automatic U.S. spending cuts and a partial government shutdown
DISA considers scrapping $450 million cloud contract (C4ISR & Networks) The Defense Information Systems Agency is considering canceling its planned $450 million commercial cloud contract, following lower than expected demand for those services
New Rivet Joint intelligence aircraft lands at RAF Waddington (The Lincolnite) Known as Project Airseeker, the procurement of the Boeing RC-135V/W RJ system will give the UK world class airborne Signals Intelligence capability
General Dynamics Awarded $25 Million to Modernize U.S. Air Force Network Security Globally (Digital Journal) General Dynamics Information Technology to deliver cyber security and network defense to all U.S. Air Force and Air National Guard bases
Lockheed Martin Emerging As Dominant Player In Federal Cybersecurity Market (Forbes) Six years after President George W. Bush signed dual directives spawning a sustained increase in federal spending on cybersecurity, a clear leader has begun to emerge from the scores of tech companies that surged into the field. Lockheed Martin, the nation's biggest military contractor, has gradually consolidated its dominance in the government market for network defenses, and is moving to leverage its expertise in dealing with "advanced persistent threats" in the commercial world
BP locking down personal devices in the face of cyber warfare (ComputerWorld) Outgoing CIO Dana Deasy said the threat from cyber is "incredibly real"
In from the cold: the mainstream rehabilitation of the 'hacker' (The Guardian) Sometimes poachers make the best gamekeepers, says Marc Rogers - today's hackers are in high demand
Adobe hacked. Wall Street doesn't care. (CNN Money) Adobe, the software company most famous for Photoshop and PDF converter Acrobat, has been in the news a lot lately…for all the wrong reasons
Products, Services, and Solutions
Simplify SIEM With EventTracker 7.5 (Yahoo! Finance) EventTracker, a leading provider of comprehensive SIEM solutions, announced today the general availability of the newest version of its flagship EventTracker SIEM solution
Oracle Launches Brawnier Big Data Appliance (InformationWeek) Oracle's Cloudera-powered Hadoop box gains new authentication, audit and query options courtesy of the Oracle software stack
Adallom unveils SaaS enterprise security solution (Help Net Security) Adallom announced its complete security solution for SaaS applications, which delivers cloud-based security that audits all SaaS activities and provides real-time mitigation through user activity heuristics
Cryptography Research and Tiempo SAS Sign License Agreement for DPA Countermeasures (Wall Street Journal) Cryptography Research, Inc., a division of Rambus Inc. (NASDAQ:RMBS), and Tiempo SAS (Tiempo), experts in designing and qualifying secure smart card chips, today announced they have signed an architecture license agreement allowing for the use of Cryptography Research's patented security inventions in Tiempo's integrated circuits. By incorporating Cryptography Research's countermeasures onto their devices, Tiempo's products will be protected against differential power analysis (DPA) and related side channel attacks
Arbor Announces New DDoS Protection Service (Dark Reading) Enables ISPs to launch new or enhance existing cloud-based services
Hexis turns defense experience into enterprise analytics (SearchSecurity) KEYW spin-off Hexis Cyber Solutions has introduced a security data analytics system that competes with RSA's former NetWitness entry
Technologies, Techniques, and Standards
Simulated attack on the US power grid planned for Wednesday – Thursday (Kurzweil Accelerating Intelligence) The North American Electric Reliability Corporation (NERC) is quietly planning to launch a simulated attack on the U.S. power grid on Wednesday and Thursday (Nov. 13-14) called GridEx II, according to an unpublished document obtained by KurzweilAI from NERC
Internet Security Alliance to propose beta testing cybersecurity framework (FedScoop) The Internet Security Alliance is calling on the Obama administration to take a lesson from the botched rollout of the federal health care website and establish a "beta-testing phase" for the voluntary cybersecurity framework currently under development by the National Institute of Standards and Technology
Stanford offers tips for blocking email 'phishing' attacks (Stanford News) Information security is everyone's responsibility. IT Services is offering updated guidance on how to help prevent email-based attacks on Stanford's systems
The ultimate guide to MDM in the Middle East (ComputerWorld) "Remember when IT planned corporate-wide end-user technology roll-outs? Distributing company-owned, IT-managed devices was a very controlled process. Employees had to get IT approval to use an unauthorised device, even if it was useful and increased productivity. IT was the gatekeeper of everything enterprise and it ruled the network with a combination of strict policies, purpose-built technologies, and a fully contained ecosystem. Those days are long gone"
Lock Three Doors To Protect Your Data (Dark Reading) Data is at risk when it's at rest, in motion, or in use. Here are some tips for approaching data protection in each state
Design and Innovation
Orange Fab Accelerator Opens In France, Plans More Around The World (TechCrunch) Telecommunication giant Orange unveiled its plan for its startup accelerator named Orange Fab. In addition to announcing that the program is now taking applications for French startups, the company said that it just opened another branch of its accelerator in Japan, and will open another one in Poland in the first half of 2014. Back in March, Orange Fab first launched its accelerator program in
Colleges partner with NSA and DHS to create cyber-security programs (Campus Reform) Over 150 colleges across the country have partnered with the National Security Administration (NSA) and Department of Homeland Security (DHS) to create cyber-security training program
Students protest NSA session (The Poly Post) A group of students protested the National Security Agency's presence on campus on Wednesday afternoon in the Bronco Student Center by recording an information session on their phones while wearing black tape over their mouths
Hayden and Gellman debate whistleblowers (Duke Chronicle) Just how much Americans ought to know about their government's national security programs was up for debate Monday night
Professors question U.S. intelligence system lack of transparency (Cavalier Daily) Seriatim inaugural speaker event leads American security debate, considers American privacy boundaries
Legislation, Policy, and Regulation
China to Revamp Security Amid Threats at Home and Abroad (Voice of America) China will set up a new "state security committee'' as it seeks to tackle growing social unrest and unify the powers of a disparate security apparatus in the face of growing challenges at home and abroad, the government said on Tuesday
Australian spy agency helped BHP negotiate trade deals (Sydney Morning Herald) BHP was among the companies helped by Australian spy agencies as they negotiated trade deals with Japan, a former Australian Secret Intelligence Service officer says
NSA Leaks Could Inspire a Global Boom in Intrusive Surveillance (MIT Technology Review) Governments already dabbling with authoritarian control of the Internet could be spurred on by learning of NSA surveillance
Quantum of pwnness: How NSA and GCHQ hacked OPEC and others (Ars Technica) Telecom companies gave intel agencies ability to reroute targets' traffic
Our Government Has Weaponized the Internet. Here's How They Did It (Wired) The internet backbone — the infrastructure of networks upon which internet traffic travels — went from being a passive infrastructure for communication to an active weapon for attacks
Spying Scandal Alters U.S. Ties with Allies and Raises Talk of Policy Shift (New York Times) Just as European and American negotiators resumed work on a groundbreaking trade accord meant to tie their two continents closer together, René Obermann, the chief executive of Deutsche Telekom, the German telecommunications giant, told a cybersecurity conference in Germany on Monday that his company was working to keep electronic message traffic from "unnecessarily" crossing the Atlantic, where it could fall into the hands of the National Security Agency
Senate to Start Sweeping Intel Review This Month (Foreign Policy) It will include not only an examination of how the agencies collect information, but how senior government officials direct those activities
Contentious issues loom over upcoming defense bill (CBS News) The Senate has a full plate of legislation Majority Leader Harry Reid, D-Nev., hopes to get through before lawmakers head home for Thanksgiving. Of those issues, the National Defense Authorization Act will take up plenty of the body's time and energy as it encompasses a host of broader issues, from military sexual assault to National Security Agency surveillance to spending
Sensenbrenner: U.S., Europe Should Curb Surveillance (Newsmax) The United States and Europe should work together to develop policies ensuring both security and protection of civil liberties, says Rep. James Sensenbrenner
Litigation, Investigation, and Law Enforcement
After 30 Years of Silence, the Original NSA Whistleblower Looks Back (Gawker) Four decades ago, Perry Fellwock became the NSA's first whistleblower, going to the press to explain the spy agency's immense scope and mission to a public that had barely been allowed to know such an organization existed. His revelations in the radical magazine Ramparts were picked up by the front page of the New York Times. He went on to be a key player in the turbulent anti-surveillance movement of the 1970s, partnering with Norman Mailer and becoming the target of CIA propaganda. But today he's a semi-retired antiques dealer living in Long Island
UK pursuing criminal investigation into NSA leaks (AP via WTSP) A senior British police official says her force is pursuing a criminal investigation following the leak of classified material on U.K. and American intelligence-gathering techniques to the Guardian newspaper
Business, IT, and the Law: 10 Common Mistakes (O'Hanlon and O'Dowd, Solicitors) 10 Random and absolutely unnecessary things we find clients tend to do when it comes to Computers. This is a shortened version of a Lecture to UCC MBA Class on the 25th October 2013
Federal judge: IBM had 'no substantial chance' of winning CIA cloud contract (FierceGovernmentIT) IBM's protest was gamesmanship, Judge Thomas Wheeler also says
10 Year Prison Term Sought for Anonymous Hacktivist Jeremy Hammond (Wired) Anonymous hacktivist Jeremy Hammond should receive the maximum 10 year prison term for defacing law enforcement and corporate websites and stealing 200 gigabytes of email and 60,000 credit card numbers from a private intelligence firm, prosecutors argued in a court
In Lavabit Appeal, U.S. Doubles Down on Access to Web Crypto Keys (Wired) A U.S. email provider can promise its users all the security and privacy it wants; it still has to do whatever it takes to give the government access. That's the gist of the Justice Department's 60-page appellate brief in the
For a complete running list of events, please visit the Event Tracker.
Teaching Computer Forensics (Sunderland, England, UK, Nov 14, 2013) The workshop is an opportunity for academics and students in the computer forensics subject area to address the current issues and challenges in a number of themes including (but not exclusive to) student experience, student retention, computer forensics research (and the REF), new technologies (hardware and software), new computer forensics themes (cloud forensics, geo-positional forensics) curriculum changes, legal developments, ethical issues, accreditation and employability.
Cyber Education Symposium (Arlington, Virginia, USA, Nov 19 - 20, 2013) Both the public and the private sectors suffer from a lack of highly trained and effective cyber security leaders. In response, the government, businesses, and academic institutions are all exploring ways to retrain the existing workforce and develop a new pool of cybersecurity professionals capable of meeting the needs of tomorrow. The Cyber Education Symposium offers a rare opportunity for the brightest minds in government (.gov), the private sector (.com), and the educational community (.edu) to convene and discuss trends and challenges in cybersecurity education. The Symposium will provide a forum to identify new ways of thinking about the problem, exchange best practices, and forge a pathway forward that leverages the full resources of our nation's leadership.
APPSEC USA (New York, New York, USA, Nov 18 - 21, 2013) Welcome to Appsec USA 2013, New York - a world class software security conference for developers, auditors, risk managers, and entrepreneurs, bringing you the world's top speakers, the most relevant security topics and an unbeatable atmosphere. Hosted by OWASP.
IT Forum Expo/Black Hat Regional Summit Black Hat Regional Summit will introduce a mix of local in-region experts and researchers from around the globe, discussing the latest trends in information security with an audience of peers. The sessions will provide candid insight and education for IT security professionals.
2nd Annual East Africa IT and Cyber Security Convention 2013 (Nairobi, Kenya, Nov 28 - 29, 2013) The 2nd Annual East Africa IT and Cyber Security Convention 2013 will bring together leading Cyber and IT Security experts who will provide key insights into critical cybersecurity issues surrounding cyber networks, mobile, and IT infrastructures. Enhancing the security, resiliency, and reliability of the nation's cyber and communications infrastructure is a challenge that must be met. Attend the East Africa Cyber Security and IT Security Convention 2013, which will equip you with a comprehensive range of clarifications and solutions.
Operationalize Threat Intelligence (Webinar, Dec 4, 2013) Security teams are overloaded with threat feeds. It doesn't end with third party providers. It includes alerts, logs, and tips from their own security and IT solutions. We need help transforming this data into knowledge so we can act. Attendees will learn concepts and best practices that enable organizations to reduce, prioritize and operationalize threat intelligence.
Cloud Security Alliance Congress 2013 (Orlando, Florida, USA, Dec 4 - 5, 2013) The CSA Congress is the industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. In addition to offering best practices and practical solutions for remaining secure in the cloud, CSA Congress will focus on emerging areas of growth and concern in cloud security, including standardization, transparency of controls, mobile computing, Big Data in the cloud and innovation.
SINET Showcase: THE SINET 16 (Washington, DC, USA, Dec 4 - 5, 2013) The SINET Showcase is supported by the Department of Homeland Security, Science & Technology Directorate and provides a significant opportunity for industry's most innovative global entrepreneurs to present in front of 350 sophisticated investors, buyers and researchers from the commercial and government markets. If a company is selected as one of the SINET 16, it will not only be recognized at the event, but receive access to prospective investors and customers as well. Please note that the deadline to apply for the SINET 16 is August 15th.
The 8th International Conference for Internet Technology and Secured Transactions (London, England, UK, Dec 9 - 12, 2013) The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013) is an international refereed conference dedicated to the advancement of the theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution.
World Congress on Internet Security (London, England, UK, Dec 9 - 12, 2013) The WorldCIS-2013 is an international forum dedicated to the advancement of the theory and practical implementation of security on the Internet and Computer Networks. The inability to properly secure the Internet, computer networks, protecting the Internet against emerging threats and vulnerabilities, and sustaining privacy and trust has been a key focus of research. The WorldCIS aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.
ACSAC 2013 (New Orleans, Louisiana, USA, Dec 9 - 13, 2013) The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences.
2013 ASE International Conference on Cyber Security (Orlando, Florida, USA, Dec 10 - 15, 2013) The annual ASE Cyber Security Conference is a leading international forum for cyber security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of cyber security. The First ASE International Conference on Cyber Security provides a key forum for researchers and industry practitioners to exchange information regarding advancements in the state of art and practice of cyber security.